Data protection and data security with Google Drive


Google Drive and GDPR

Google Drive is one of the best-known file hosting services. It enables its users to save documents in the cloud, share files and edit documents together. Google Drive includes Google Docs, Sheets, Slides and Forms, an office software package that enables the shared editing of documents, spreadsheets, presentations etc. Files shared publicly on Google Drive can be found using Internet search engines. So far, so good. But how does Google Drive deal with data protection? What do companies need to consider if they want to use the service?

 

Data protection requirements for cloud service providers from third countries

 

One of the most important innovations of the General Data Protection Regulation is the establishment of the so-called marketplace principle. If a company, regardless of where in the world it is based, offers products or services to citizens of the European Union, it must comply with the requirements of the GDPR. Conversely, European companies are obliged to ensure that data exports to a cloud provider are protected under data protection law.

Within the EU, data processing agreements are concluded for this purpose in accordance with Art. 28 GDPR. If personal data is outsourced to a service provider based in a third country, for which even access for occasional "troubleshooting" is sufficient, standard contractual clauses must generally be concluded and additional, supplementary measures taken to ensure an adequate level of data protection in the third country.

Supplementary measures can consist of encryption or anonymization of the data to be exported. The aim is to protect the confidentiality of the data against access by authorities or secret services, which can take place completely legally in the USA. With encryption, it should be noted that the key remains in the hands of the client, i.e. not with Google in this case.

 

What does Google offer its customers after "Schrems II"?

 

The answer to this question has to be rather flippant: Google offers quite a lot, but unfortunately hardly anything useful. For example, there is no information according to Art. 13 GDPR specifically for the Google Drive product, only for all Google services together: "This privacy policy applies to all services offered by Google LLC and its affiliates, including YouTube, Android and services provided on third-party websites, such as advertising services." It could hardly be more confusing and, in the opinion of the author of these lines, violates the transparency obligations of the GDPR. Even the numerous videos on data protection do not change this. Clear and simple language would be much more helpful.

With regard to the transfer of data to the USA, Google is working with the new standard contractual clauses and offers a pre-filled sample of Module 2 (EU controller-to-processor). However, transparency regarding data protection and Google Drive also falls by the wayside here if, for example, Annex I of the standard contractual clauses describes the data categories as follows: "Family, lifestyle and social circumstances, including any information relating to the family of the data subject and the data subject's lifestyle and social circumstances, including details of family and other household members, habits, housing, travel details, leisure activities, and membership of charitable or voluntary organizations." There are similar all-encompassing descriptions for "Personal details", "Employment details", "Financial details", "Education and training details", etc. Again, this is not really transparent.

 

Transfer Impact Assessment

 

With the new standard contractual clauses, there is now an obligation to carry out a "Transfer Impact Assessment", a comprehensive, case-by-case data protection impact assessment before a third-country transfer. The following control question must be answered: Can and will Google actually comply with its contractual obligations under the GDPR? To answer this question, you would have to click through the numerous documents, annexes, videos and other links that Google has provided. It remains to be seen whether all the information for a reliable statement can be found in the end.

And now?

As a thoroughly standardized "Internet giant", Google will hardly respond to the need for clarification of small and medium-sized companies, not even with regard to Google Drive and the General Data Protection Regulation. The conclusion of the offered standard contractual clauses will be based on the "eat or die" principle. Companies should therefore proactively take further security measures and, if they decide to use Google Drive, only upload strongly encrypted data and not hand over the key.

This would be one way of ensuring at least some level of data protection for Google Drive in Germany. After all, it will still be some time before homomorphic encryption arrives. 2B Advice will be happy to support your company with a data protection assessment of the use of Google Drive, in particular with the implementation of the transfer impact assessment.
